如何將LIKE'%%'轉換爲用戶輸入

Question

您好我正在嘗試創建一個商店定位器和部件查找器，ATM我有一個SQL查詢，使用LIKE獲得所有答案，有1在這個連接到PHP輸入以及如何將LIKE'%%'子句從具體變爲用戶放入表單中的任何內容，但是獲得與我給出的結果相同的結果，因此如果我輸入1，它將顯示所有部分如果我輸入4，它也是一樣的。我的代碼是：

<head> 
     <?php 
     $serverName = "127.0.0.0"; 
     $connectionInfo = array("Database"=>"db", "UID"=>"id", "PWD"=>"pwd"); 
     $conn = sqlsrv_connect($serverName, $connectionInfo); 
     if($conn === false) 
     { 
      die(print_r(sqlsrv_errors(), true)); 
     } 
     $sql = "SELECT  dbo.Customer.name, dbo.Customer.address1, dbo.Customer.address2, dbo.Customer.address3, dbo.Customer.city, dbo.Customer.state, dbo.Customer.zip, 
          dbo.Customer.faxnum, dbo.Customer.phonenum, dbo.Customer.emailaddress, Part.description, Part.partnum, ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925) ,2)AS distances 
       FROM  dbo.Customer INNER JOIN 
          CustomerPartCrossRef ON dbo.Customer.company = CustomerPartCrossRef.company AND dbo.Customer.shiptonum = CustomerPartCrossRef.shiptonum AND 
          dbo.Customer.custnum = CustomerPartCrossRef.custnum INNER JOIN 
          Part ON CustomerPartCrossRef.partnum = Part.partnum AND CustomerPartCrossRef.company = Part.company 
       WHERE  Part.partnum LIKE '%%' AND (ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925),2) <= 150) 
       ORDER BY distances "; 

     $stmt = sqlsrv_query($conn, $sql); 
     if($stmt === false) 
     { 
      die(print_r(sqlsrv_errors(), true)); 
     } 
     while($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) { 
     echo $row['name']."<br/>".$row['address1']."<br/>".$row['state']."<br/>".$row['zip']."<br/>".$row['phonenum']."<br/>".$row['distances']."<br/>".$row['partnum']."<br/>" 
     .$row['description']."<br/>"; 
     } 
     sqlsrv_free_stmt($stmt); 
     ?> 
</head> 
    <body> 
     part = <?php echo $_POST["part"];?> 
    </body> 

Answer 1

首先，我會建議你使用PDO，而不是sqlsrv_*()功能。這裏有這樣一個例子：

$sql = "SELECT  dbo.Customer.name, dbo.Customer.address1, dbo.Customer.address2, dbo.Customer.address3, dbo.Customer.city, dbo.Customer.state, dbo.Customer.zip, 
          dbo.Customer.faxnum, dbo.Customer.phonenum, dbo.Customer.emailaddress, Part.description, Part.partnum, ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925) ,2)AS distances 
       FROM  dbo.Customer INNER JOIN 
          CustomerPartCrossRef ON dbo.Customer.company = CustomerPartCrossRef.company AND dbo.Customer.shiptonum = CustomerPartCrossRef.shiptonum AND 
          dbo.Customer.custnum = CustomerPartCrossRef.custnum INNER JOIN 
          Part ON CustomerPartCrossRef.partnum = Part.partnum AND CustomerPartCrossRef.company = Part.company 
       WHERE  Part.partnum LIKE '%?%' AND (ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925),2) <= 150) 
       ORDER BY distances "; 
$dbh = new PDO('sqlsrv:Server=localhost;Database=testdb', DB_USER, DB_PASS); 
$stmt = $dbh->prepare($sql); 
$stmt->execute(array($_GET['users_input'])); 

當​​被稱爲?我已經添加到您的查詢將通過數組中的值替換。有關更多信息，請參見http://www.php.net/manual/en/pdo.prepared-statements.php。

很明顯，您可能想要在將其傳遞到​​之前驗證用戶輸入。